Monday, January 11, 2010

Common Criteria = Common Crock

The Common Criteria certification is a crock in my opinion. Same goes for FIPS and many other software certifications. I completely agree with Bruce Schneier's comment that "no one really understands what a certification means". (You can follow the original post and ensuing debate here: http://www.google.com/sidewiki/entry/jackson.shaw/id/phlOFw-lA4N3-4D29Irgve-yH_c)

These certifications are extremely costly. The ones I have been involved in end up exceeding $100,000 and the certification is valid only for that particular version. In this day and age most software companies are releasing new software versions every 6-8 months. I can't afford to re-certify for every major and minor release.

One of the benefits to software companies was that government agencies were supposedly required to only purchase Common Criteria or FIPS certified products. Guess what? They don't. They get around those requirements pretty easily with all kinds of excuses. So, why should a software company bother?

1 comment:

Einar said...

Nice post Jackson. I mostly agree. One problem is that there are still many agencies that will list Common Criteria as a requirement in their RFPs, which gets various sales/presales personnel geared up about certifying products accordingly. I almost wish they would choose one way or the other: either go with CC or drop it altogether, so as to avoid confusion and lost money (spent on certifications).

Einar